Machine learning deemed a high security risk, survey finds

The CERT Division of Carnegie Mellon University’s Software Engineering Institute has published an updated list of technologies that might give us headaches in the security department. Both machine learning and blockchain have made the cut, but that’s actually not a comforting thought, especially since the former is one of the three domains that must be considered high priority for outreach and analysis in 2017.

The latest report can be considered an addendum to the CERT/CC 2016 Emerging Technology Domains Risk Survey.

One of the goals of this report is to help the Department of Homeland Security United States Computer Emergency Readiness Team (US-CERT) “make an informed decision about the best areas to focus resources for identifying new vulnerabilities, promoting good security practices, and increasing understanding of systemic vulnerability risk.”

Understanding trends and emerging technologies can help information security professionals, leaders of organizations, and others interested in information security to anticipate and prepare for such vulnerabilities.

Blockchain — Risky business?

This technology is still developing and has only one proven business model to date, which is Bitcoin itself. However, with the amount of research being done in multiple industries, it is likely that blockchain-related technologies will become more widespread in the near future.

Although Gartner has previously estimated that blockchain needs 5-10 years to reach maturity (a.k.a. go mainstream), the CERT/CC believes “mainstream adoption will happen toward the end of that range, when distributed, computable trust becomes crucial to autonomous systems and systems-of-system.”

They also revealed that “the potential impact for security vulnerabilities in the blockchain ecosystem depends on the value of the information it is protecting.” This basically means that blockchain has its risks (of course) but it could also mean it’s not the spawn of the devil.

Machine learning

As a component technology, machine learning does not easily fit into a general strategy of observation. The CERT/CC suggests monitoring individual emerging technologies on a case-by-case basis for characteristic uses of machine learning to identify the gravity of potential abuses. Characteristics of interest likely include big data applications dealing with sensitive information, security products whose efficacy depends on effective anomaly detection, and learning sensors that inform actions in physical reality (such as in self-driving vehicles).

Although Gartner estimates that machine learning is within 2–5 years of mainstream adoption, the CERT/CC expects this to be “one of the most aggressive and quickly adopted technology trends over the next several years.”

One risk that goes hand in hand with the use of machine learning is the potential for theft or leakage. Malicious or specially crafted data can also be introduced into a machine learning algorithm — this can lead to inaccurate conclusions or incorrect behavior.

If you want to read the CERT/CC’s findings with regard to the other emerging technologies, check out the report.

Conclusions

The technologies analyzed in this report are expected to reach maturity before 2025.

This report provides an understanding of cybersecurity issues that may result as part of each domain’s adoption in the future.

Intelligent Transportation Systems, Machine Learning and Smart Robots have the potential for “widespread impacts on society.”

The other domains are considered to be “less widely applicable, at least in the near future” — for example, Blockchain and Virtual Personal Assistants “may appeal only to early adopters” while domains such as Smart Buildings and Robotic Surgery are specific to one industry. “The CERT/CC does not expect them to be adopted as widely in the next 12–18 months,” the report concluded.